Posted by timothy on Thursday June 19, 2014 @12:33PM from the seller's-market dept.

msm1267 (2804139) writes: Incentivized by a minimal amount of cash, computer users who took part in a study were willing to agree to download an executable file to their machines without questioning the potential consequences. The more cash the researchers offered, capping out at $1, the more people complied with the experiment. The results toss a big bucket of cold water on long-standing security awareness training advice that urges people not to trust third-party downloads from unknown sources in order to guard the sanctity of their computer. A Hershey bar or a Kennedy half-dollar, apparently, sends people spiraling off course pretty rapidly and opens up a potential new malware distribution channel for hackers willing to compensate users. The study was released recently in a paper called: "It's All About The Benjamins: An empirical study on incentivizing users to ignore security advice." While fewer than half of the people who viewed the task actually ran the benign executable when offered a penny to do so, the numbers jumped to 58 percent when offered 50 cents, and 64 percent when offered $1.

"Because the Red Pill VM-detection routine [28] only works reliably on single-CPU computers, we also collected information on the number of CPUs. Using Red Pill, we detected the presence of a VM on a single participant’s machine. Examining each participants’ process lists, we were able to confirm that this participant was running VMware. Additionally, we detected VMware Tools running on an additional fifteen machines (sixteen in total), and Parallels Tools running on a single machine. Thus, we can confirm that at least seventeen participants (1.8% of 965) took the precaution of using a VM to execute our code. Eleven of these participants were in the $1.00 condition, five were in the $0.50 condition, and one was in the $0.01 condition. The information we collected on participants’ motherboards was not useful in determining VM usage."

Apparently you weren't the only one who thought so; but the numbers were small. 16 VMware VMs, 1 Parallels (which, since the study required Windows to participate, may have been a security measure or may have been a Mac user willing to hose his 'everything I need Windows for' machine...)

No word, obviously, on anybody who is a bit more subtle about their VM usage; but I'd be shocked if that number is high.